Hi Devs at Fineract -

Notes from the ASF Community Over Code in Minneapolis.

Sunday - Infra track : ATR Automated Build and Release
The talk is about the automated release process - and how ASF Tooling is
advancing the process to allow for "mostly" on infra release process.

First, if you don't know about the release process at ASF, it follows a set
of policies.

https://www.apache.org/legal/release-policy.html

This is NOT an intro email to this subject.  If you want to know about our
release process at Fineract please see the current documentation and recent
emails updating our release processes at this project.
https://fineract.apache.org/docs/current/#_release_process

---

In the NEW, still not fully released automation by ASF, there are some
improvements coming.

At a high level, the process goes like this.

Security team :
(project) Proves that your Build automation produces reproducible results

Infra team:
Generates the PMC GPG keys
Saves private key as a repository secret

PMC:
Signs artifact with private key
Tests reproducibility during the vote
Adds public key to their KEYS file

Drivers for the new ASF Trusted Release (ATR) interface
Making it easier
SBOM is becoming essential for ASF and automation is becoming vital.

There is a demo of the new build process for new incubating projects.
==> release-test.apache.org

High level flow:
Compose
Vote
Finish

I also met with one of the Grails project PMC team members who could give
us some pointers.  He suggested that we copy what they have done, which
automates a full set of processes using Gradle.  End to end.

It would be useful to have a Committer here (can be anyone) to work on
getting familiar with the new ATR and separately, those interested in
supporting the release process, could discuss the Grails model - and how
these two might be used together or to make improvements to our release
process.

see github/ tooling-actionblob/main/readme
https://github.com/apache/tooling-actions/tree/main/release-on-atr

See also the new GH Actions, which can be triggered as part of the process.
The key new thing is that the uploads of the artifacts go to the tool, not to SVN.

I've (tentatively) signed us up to have Fineract be part of the beta
release of this new tooling, Q4 this year into Q1 2026.

The key thing for either of these efforts is getting a reliable
reproducible build, i.e. from the same release point, generate a byte-same
release artifact.

Comments?  Interest?

Thanks,
Jdailey
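
An added example, not part of the original email and not Fineract, Grails or ATR code: when a rebuilt archive is not byte-same as the release candidate, a voter needs to know whether the difference is metadata (timestamps, entry order) or actual content. The function names and the two sample "builds" below are constructed for illustration and use only the Python standard library.

```python
import hashlib
import io
import zipfile

FIXED_MTIME = (1980, 1, 1, 0, 0, 0)  # assumed fixed timestamp for normalized builds

def build_zip(files, mtime, normalize=False):
    """Pack {name: bytes} into an in-memory zip; normalize pins order and mtime."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in (sorted(files) if normalize else files):
            info = zipfile.ZipInfo(name, FIXED_MTIME if normalize else mtime)
            info.external_attr = 0o644 << 16  # fixed permissions in both modes
            zf.writestr(info, files[name])
    return buf.getvalue()

def explain_difference(a, b):
    """Classify why two zip artifacts are not byte-identical."""
    if hashlib.sha512(a).digest() == hashlib.sha512(b).digest():
        return {"verdict": "byte-identical", "entries": {}}
    za, zb = zipfile.ZipFile(io.BytesIO(a)), zipfile.ZipFile(io.BytesIO(b))
    ia = {i.filename: i for i in za.infolist()}
    ib = {i.filename: i for i in zb.infolist()}
    entries = {}
    for name in sorted(set(ia) | set(ib)):
        if name not in ia or name not in ib:
            entries[name] = "missing on one side"
        elif za.read(name) != zb.read(name):
            entries[name] = "content differs"
        elif ia[name].date_time != ib[name].date_time:
            entries[name] = "timestamp differs"
    if list(ia) != list(ib):
        entries["<archive>"] = "entry order differs"
    real = {"missing on one side", "content differs"}
    verdict = "content" if real & set(entries.values()) else "metadata-only"
    return {"verdict": verdict, "entries": entries}

# Constructed sample: the same two files packed by two "builds" five minutes
# apart, with the files enumerated in a different order.
BUILD_1 = {"LICENSE": b"Apache-2.0\n", "app.properties": b"version=1.0\n"}
BUILD_2 = dict(reversed(list(BUILD_1.items())))
T1, T2 = (2025, 9, 14, 10, 0, 0), (2025, 9, 14, 10, 5, 0)

if __name__ == "__main__":
    print(explain_difference(build_zip(BUILD_1, T1), build_zip(BUILD_2, T2)))
    print(explain_difference(build_zip(BUILD_1, T1, True), build_zip(BUILD_2, T2, True)))
```

A "metadata-only" verdict points at build configuration (pinned timestamps and file order), while a "content" verdict means the rebuilt artifact really is different from what is being voted on.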
